The hacktivist group Izz ad-Din al-Qassam Cyber Fighters, which since last September has taken credit for the hits against banks, claimed its attacks were in protest of a YouTube movie trailer deemed offensive to Muslims. But some observers have speculated that Iran was backing the DDoS strikes against banks as payback for cyber-espionage attacks, such as Stuxnet, Flame and Duqu, that have over the last three years affected Iranian computer systems.

Rodney Joffe, senior technologist for online security provider Neustar Inc., says the current lull could be a sign that the attacks waged by the hacktivist group are over. "It's a wild conjecture," Joffe says. "But we may have seen the end of them."

Joffe says indirect activity linked to the al-Qassam Cyber Fighters' botnet, known as Brobot, has continued. But there have been no direct attacks. And that lack of activity raises questions about whether al-Qassam will wage any more attacks, Joffe says.

"The botnet is no bigger than it was," he says. "We take [compromised] machines down and then new machines keep getting added. I still have hope that the government will have some impact or effect, but don't know one way or the other."

The Federal Bureau of Investigation in April warned that Brobot had been modified, "in an attempt to increase the effectiveness with which the [botnet's] scripts evade detection." The FBI said the actors behind Brobot were changing their attack methodology to circumvent mitigation efforts put forth by U.S. banking institutions (see FBI: DDoS Botnet Has Been Modified).

The FBI also noted that as of April 10, 46 U.S. banking institutions had been targeted by more than 200 separate DDoS attacks of "various degrees of impact" since September.

Financial fraud expert Avivah Litan, an analyst at Gartner, says intervention from federal authorities may have spurred al-Qassam to halt its attacks. But, like Joffe, she says there is no way to be sure. "I do know the banks were trying to get the White House to do something politically, and that could be what's happened."

But other experts, such as Mike Smith of Web security provider Akamai Technologies, don't think there's been anything going on behind the scenes to keep the attacks from resuming.

Different Attack Actors

Other experts anticipate that another group could emerge to resume DDoS attacks against banks if Izz ad-Din al-Qassam Cyber Fighters ends its campaigns.

"There has been a lull in the al-Qassam-like attacks," says Scott Hammack, CEO of DDoS-mitigation provider Prolexic. "But I would definitely not misunderstand this lull as being an end to these types of attacks. The attacks will continue; it's really just a question of when, not if."

The current break comes after a third phase of hacktivist attacks, which kicked off in March. The latest campaign ran eight weeks, the longest-running so far.

The break from the third phase of attacks has lasted four weeks so far. By comparison, the break between the first campaign, which began Sept. 18, and the second campaign, which kicked off Dec. 10, lasted six weeks. And the break between the second and third campaigns lasted five weeks.

Hammack, like Smith, says Brobot, as well as other botnets, continue to grow. In fact, over Memorial Day weekend, Prolexic helped to mitigate a 167-gigabyte DNS-reflection attack, the largest attack recorded to date, Hammack says. "The attack traffic was global and required us to use all four of our cloud-based scrubbing centers," he says.

DNS-reflection was the attack method used in Operation Stophaus, an attack waged in March by The Spamhaus Project, a Geneva-based not-for-profit organization dedicated to fighting Internet spam. And while it's not an extremely sophisticated type of attack, Hammack says these types of DDoS strikes are only going to become more prevalent.

"There are plenty of countries where rogue elements will continue to exist," he says. "You're never going to overcome that. I think, if anything, people should be taking advantage of this down time to fortify their infrastructures."

The application-layer attacks al-Qassam Cyber Fighters favored in its last two campaigns have remained inactive, even though the group appears to be continuing efforts to grow and strengthen its botnet. "The botnets are out there," Hammack says. "We have between 15,000 and 100,000 compromised web servers out there that we know of. So the artillery is still out there to create these types of attacks. We just haven't seen any of the web server attacks for the last 30 days."

Many experts predicted the group's attacks against banks would resume by May 14. But they didn't.

Some have speculated that international law enforcement could be close to nailing members of the al-Qassam team. But Hammack says drawing conclusions based on the ebbs and flows of DDoS attacks is dangerous because hacktivists attack in waves.

"Certain attacks die down after certain periods," he says. "That doesn't mean, though, that the attacks are over."

Banking institution leaders say they've been advised by groups such as the Financial Services Information Sharing and Analysis Center not to lessen their DDoS mitigation efforts. Litan says banks are heeding that advice.

"The banks have more vendors involved now," she says. "I don't think they'll ever pull back. They have put a lot of systems in. They really can't go back now, and they shouldn't."

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
